Go to listing page

Cyware Weekly Threat Intelligence, April 13 - 17, 2020

Cyware Weekly Threat Intelligence, April 13 - 17, 2020

Share Blog Post

The Good

The COVID-19 outbreak has spelled doom across the world, forcing several organizations to adopt teleworking. Medical staff and physicians are no exception. Therefore, in order to promote good cybersecurity hygiene, the American Medical Association (AMA) and the American Hospital Association (AHA) have jointly released guidelines for the remote work environment to better defend against threats that could disrupt patient care. Also, given the critical nature of the current pandemic, the Office for Civil Rights (OCR) has lifted HIPAA penalties for community-based testing sites to ease the operations of healthcare providers.

  • Google has adapted its machine learning models to improve Gmail’s security against COVID-19-themed phishing email attacks. Using these models, the company has blocked 18 million such emails last week.
  • The American Medical Association (AMA) and the American Hospital Association (AHA) have jointly released cybersecurity guidelines for physicians who are working from home and using their personal computers and mobile devices to take care of patients. The initiative has been taken following the rapid increase in cyber threats against telework technologies due to the ongoing COVID-19 crisis.
  • The Office for Civil Rights (OCR) has announced that it will lift penalties around HIPAA compliance for 19 community-based testing sites during the pandemic. Previously, the agency had also carved out exceptions for business associates, first responders, and telehealth use to ease operations during the COVID-19 pandemic.

The Bad

The week saw millions of personal details and login credentials of customers being sold on underground forums. The data belonged to people associated with Zoom, Quidd, and Wappalyzer. While user data stolen from Quidd was sold for free, the user details stolen from other affected companies were tagged at an alluring price.

  • Nearly 530,000 Zoom login credentials were put up for sale on hacker forums for a price of $0.0020 per account. The hacker(s) had gathered these account details from third-party data breaches rather than hacking Zoom directly.
  • Personal and contact details of 1.41 million US-based doctors stolen from qa.findadoctor[.]com were also put up for sale by a cybercriminal. The compromised data included full names, genders, locations, mailing addresses, country, phone numbers, and license numbers of doctors.
  • Travelex paid a ransom of $2.3 million in Bitcoin to recover from a ransomware attack that occurred during the New Year’s eve of 2020. The Sodinokibi ransomware operators had stolen nearly 5 GB of data from the firm during the attack.
  • Account details of 4 million Quidd users also landed up in underground hacking forums. A hacker named PROTAG took the credit for the breach and had previously put the same data for sale.
  • DopplePaymer operators released confidential data of Visser Precision that provided parts to military and aerospace companies like Lockheed Martin, Tesla, SpaceX, and Boeing.
  • Portuguese multinational energy giant, Energias de Portugal (EDP), fell victim to the RagnarLocker ransomware. The operators demanded a ransom of $10.9 million in bitcoin to return 10 TB of documents stolen from the firm.
  • Operations at two Manitoba law firms were halted following ransomware attacks. The incidents had left the staff with no access to their computer systems, locking out digital files, emails, and data backups.
  • Linksys asked its customers to reset their passwords after its routers were targeted in a COVID-19-themed malware attack campaign. The malware was delivered via a fake website that prompted users to download and install an application that offered information about COVID-19.
  • Wappalyzer disclosed that it was affected in a security breach that affected nearly 16,000 of its users. The incident came to light after the firm discovered that details of some of its users were put on sale on the dark web.

New threats

Talking about threats, security researchers unearthed three new malware capable of performing a variety of malicious activities. The three newly discovered malware were Mozi botnet, PoetRAT, and Speculoos backdoor. On the other hand, academics demonstrated a new attack technique called AiR-ViBeR, that could be used to pilfer data from air-gapped systems.

  • A new variant of AgentTesla was seen in new malspam campaigns observed during March and April 2020. The malware variant was distributed via an encrypted image resource named REZer0V2.
  • Kpot v2.0 trojan made a comeback in a COVID-19-themed attack campaign that targeted Internet Explorer users. The malware was distributed through the Fallout exploit kit embedded in malicious advertisements on websites.
  • Several new malware like the Mozi botnet, PoetRAT, and Speculoos backdoor were also unearthed this week. While the Mozi botnet targeted home routers and DVRs along with other IoT devices, PoetRAT was used to target the Azerbaijan government and energy sector. Speculoos backdoor was delivered in a cyberespionage campaign that exploited a vulnerability in Citrix’s ADC, Gateway, and SD-WAN.
  • Talking about ransomware activity, the crew behind Sodinokibi ransomware shifted from Bitcoin to Monero for ransom payments to hide the money trail from law enforcement agencies. Meanwhile, the operators of Nemty ransomware announced to shut down their operations completely.
  • A new campaign, dubbed ‘Project Spy’ distributed spyware through a fake ‘Coronavirus Update’ app to infect Android and iOS devices. The app gained a small number of downloads in Pakistan, India, Afghanistan, Bangladesh, Iran, Saudi Arabia, Austria, Romania, Grenada, and Russia.
  • Academics demonstrated a new attack technique named Air-ViBeR that used vibrations from GPU, CPU or PC chassis fans to broadcast data stolen from air-gapped systems.
  • A change in policy on Pastebin, that includes discontinuation of a service that charged users a one-time fee of $50 to search the site for new data, is believed to make it more difficult to stop hackers from abusing it. Some experts indicate that this change could hamper the research efforts of security professionals.
  • US taxpayers were targeted by a new variant of NetWire RAT that is designed to steal credentials and tax information from victims. The malware was distributed via IRS-themed phishing emails that carried an attachment with a legacy Microsoft Excel 4.0 macro to evade detection.
  • Banks in Spain and Portugal came under cyberattacks after attackers used Grandoreiro banking trojan and an Android banking trojan respectively to stealing banking details from customers.


agenttesla keylogger
sodinokibi ransomware
speculoos backdoor
project spy
mozi botnet
zoom login credentials
american medical association ama

Posted on: April 17, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite